import os

from django.conf import settings


def handle_uploaded_file(uploaded_file):
    # Define the directory where you want to save the file, relative to your media root.
    upload_directory = 'uploads/'  # This is a subdirectory within the media root.
    # Create the full path for the uploaded file.
    # uploaded_file.name is taken from the request as-is; see the discussion below.
    file_path = os.path.join(settings.MEDIA_ROOT, upload_directory, uploaded_file.name)
    # Open the file and save it to the desired location.
    with open(file_path, 'wb') as destination:
        for chunk in uploaded_file.chunks():
            destination.write(chunk)
In the code snippet above, the os.path.join() function accepts uploaded_file.name as its last parameter (https://github.com/mtahle/CrowdTweet/blob/61e474aa0d372c5511331ca2e093448c28ffacd8/apps/post/utils.py#L11). While this looks secure, if an attacker supplies an absolute path as the filename, os.path.join() overrides (discards) the previous parameters, settings.MEDIA_ROOT and upload_directory, and returns the attacker's path unchanged. For example: an attacker can set the filename in the request to /home/ubuntu/.ssh/authorized_keys with his own SSH public key as the file data, get access to the EC2 instance, and hijack the server.
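Added example, not code from the CrowdTweet project: the report's join placed beside a hardened path builder that refuses any client-supplied directory component and then verifies that the resolved destination still lies under the upload directory. The media root and the filenames used are constructed for illustration.

```python
import os


class UnsafeFilename(ValueError):
    """Raised when a client-supplied filename would escape the upload directory."""


def unsafe_upload_path(media_root, upload_directory, filename):
    # The join used by the vulnerable handler: an absolute `filename` makes
    # os.path.join throw away media_root and upload_directory entirely.
    return os.path.join(media_root, upload_directory, filename)


def safe_upload_path(media_root, upload_directory, filename):
    """Build the destination path for an upload, refusing any name that
    could land outside media_root/upload_directory."""
    # 1. Never accept a directory component from the client. This rejects
    #    absolute names ('/x/y') and traversal ('../y') before any join runs.
    separators = [os.sep] + ([os.altsep] if os.altsep else [])
    if not filename or filename in ('.', '..') or any(s in filename for s in separators):
        raise UnsafeFilename(f'rejected filename {filename!r}')
    base = os.path.realpath(os.path.join(media_root, upload_directory))
    candidate = os.path.realpath(os.path.join(base, filename))
    # 2. Defence in depth: after resolving symlinks the result must still sit
    #    inside the upload directory (this also catches an existing symlink in
    #    the upload directory that points somewhere else).
    if os.path.commonpath([base, candidate]) != base:
        raise UnsafeFilename(f'rejected filename {filename!r}')
    return candidate


def is_accepted(media_root, upload_directory, filename):
    """True if safe_upload_path accepts the name; False if it rejects it."""
    try:
        safe_upload_path(media_root, upload_directory, filename)
    except UnsafeFilename:
        return False
    return True


if __name__ == '__main__':
    # Constructed inputs: a normal name, an absolute name and a traversal name.
    root = '/srv/app/media'
    for name in ('photo.png', '/outside/media/file.txt', '../settings.py'):
        print(name, '->', unsafe_upload_path(root, 'uploads/', name),
              '| accepted:', is_accepted(root, 'uploads/', name))
```

Django's own storage layer (FileSystemStorage.save() via default_storage) applies an equivalent containment check and raises SuspiciousFileOperation on an escaping name, so routing uploads through it instead of a raw open() also closes this hole.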